I'm making an online frontend for a system. This system is normally used by a business providing a service to a customer. The customer will have the option of using this online frontend in addition to dealing directly with a real person at the business.

Now, the user logs into the online frontend using an email address as a username. This email address was associated with their account by the business. At any time, the user can change this email address via direct communication with the business. If the user has changed their email address in this manner, what happens?

Clearly, the new email address needs to log the user in seamlessly. What happens with the old email address when the user tries to login?

Do we throw up an "invalid email" error?

Do we prompt the user to login using the new email address?

Do we allow the user to login using the old address, but display a prominent option in the frontend asking them to switch over?

As a lazy programmer, I'm leaning toward the second option. Maybe the third option is more usable? It seems like it'd add another layer of complexity, both in the program and in how the user has to think about their account.

4 Answers

You should throw up an "invalid email" error. It's the most transparent, communicates exactly what has happened, and the user can immediately adjust behaviour based on that feedback, with a low likelihood of seeing that same message again. Let me run through why the other options aren't a good idea:

Prompting to log in with the new address is a security anti-pattern. If I know your old email address, I can now discover what your new email address is given that I know you use service X. This could be a privacy concern, especially on for instance a dating site or social network. (Edit: this is only a problem if you actually display the new email address; I misread your bullet and thought that was what you were saying. The point still stands though :)

You don't know why the user is changing his/her email address, so it's risky to continue locking that email address to this account. For all you know they canceled their account with their previous email host and that address is now used by someone else who may also want to access your service (unlikely, but in theory!).

If you implement the "invalid email" warning, you can make things slightly friendlier using our trusty low-cost friend, Copywriting:

The email address or password you entered is invalid. [...] Perhaps you changed the email address you use to log in?

You could also offer the ability to request which email address is being used to log in. To do this without ending up with the above-mentioned anti-pattern, allow the user to input his/her old email address and then display a message saying "we sent an email to the address we have on file that you're using to log in". Then the user will be able to remember which email address they're using by association from the email you send them. Of course, you need to double-check that users don't mind that you retain a log of their past email addresses - they may not appreciate it.

All of the above goes quite a bit beyond what most consumer-facing websites will implement in terms of user-friendliness. Usually, changing your email address is a permanent change and there's no way to fix things if you forget that you made that change. Consider your Google account, for instance: change the email address there, and forget, and you probably have a pretty big problem outside of having a telephone number registered that they can text you something to.

Edit: Clearly the best solution is a combination of your first and second points, which I neglected to read thoroughly before writing this answer. Most of the answer still makes sense, though.

On a security vs usability note -- the reason why some systems don't say whether it was the email or password that was entered is because by saying 'invalid email' you're conversely giving a hacker a signal that a given email does work when it is present.

So I'd not say 'invalid email' -- I'd say 'email or password was not recognised'.

If the email address is being used as the Unique ID, then I'd expect the system to have forgotten the original email and is now associating me with the new one. So I'd expect an error. Perhaps the message could suggest that they may have changed their email address.

Whatever you do, please have an email go to the original email address when changing to the new email address along the lines of "The email address for this account has been changed to [new email]. If this is incorrect, please [add a link to dispute this change]."

If you send to the old email a message containing the new email address, isn't that the same security anti-pattern Rahul advised against in the first bullet point of his answer? Although I hadn't thought about it in the context of the service account itself being compromised. Maybe a good middle ground would be sending an email notification without the new address?
– James, Sep 20 '10 at 20:19

+1 on emailing the old address when you change addresses. @James no, because it's not made public. My concern was specifically with printing "That email is invalid. Please log in with abc@xyz.com" or something similar. I think you should send an email to the old account with the new address, because even if the old one is compromised, the attacker probably doesn't have access to the new one anyway, and if I get access to your account and change email addresses, this acts as a security countermeasure - I'll see the email arrive, realise I never changed the address, and take action.
– Rahul♦, Sep 20 '10 at 20:29

@James...I'd agree--no need to send the new email address. It's just to say 'hey! someone is changing your account!". There is the risk, I suppose, that your old email could have been compromised and THAT is why you are changing it so...hmm...interesting paradox. I'd have to ponder that a bit...
– DA01, Sep 20 '10 at 20:40

This question is a bit misleading because it uses the word "email address" when in fact it applies to any unique string which identifies the user. There are separate concerns regarding sending confidential information to a potentially wrong email address; I won't address those.

Regarding the "user identification string has changed" problem, the website where I work has implemented a solution that works as follows:

When a user ID changes the old ID is still reserved for a period of time.

When a user logs in with their new ID the old ID is freed for re-use by another user later.

If the user logs in with the old ID the system shows them a page that indicates that their ID has changed and what the new ID is. This is considered secure because the ID is just a name and the password is required. Presumably only the user knows his/her password.

On the "username changed" page there is a link which takes the user into the site. Clicking that link frees the old ID. Future attempts to log in with the old ID fail.

If a user is changing their ID because of a security concern then what they really should be doing is changing their password. In this case the ID is a publicly known username, so changing it for security purposes has no benefit.

If you need to ensure that an email is being sent to the proper address, you need to implement some kind of system where the recipient of the email can authenticate the email address and prove the receipt of the mail, perhaps including some out-of-band information such as an SMS message or something. That's a separate problem, however.

I've used many sites that allow the user to change their email address, but very few that allow the user to change a non-email login name.
– James, Sep 29 '10 at 18:19

In this instance, your solution would be an implementation of the security anti-pattern mentioned in the accepted answer. It's valid to change an email address for security reasons, because a compromised email account may be used to recover any new password set on the account. This falls into the concerns about sending confidential information to a potentially wrong address, which are directly relevant to the question asked. So no, in this case an email address is not just a unique string which identifies the user.
– James, Sep 29 '10 at 18:31

@James: I guess you missed the part about the user being required to know both the old email AND the password? How is it a "security anti-pattern"? And the question does not state, at any point, anything about actually sending email to either the new or old email address.
– Mr. Shiny and New 安宇, Sep 29 '10 at 19:39

@James: in the scenario I've outlined, during the window between the changing of the username and the next login we accept two usernames for the account. In my scenario the username is not an email address so we don't have to worry about "forgot password" email messages. Clearly if the email address recorded in the system has been updated (and especially if you consider it "verified") then you don't send email to the old email address.
– Mr. Shiny and New 安宇, Sep 29 '10 at 19:42
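The following is an added example, not code posted by anyone in this thread. It puts three of the points above into one small in-memory account store: the login error never says whether the address or the password was wrong, and a throwaway hash is verified when the address is unknown so that path costs the same as a wrong-password attempt (the enumeration concern in the "email or password was not recognised" answer); an email change notifies the old address, without naming the new one (the notification the "Whatever you do" answer asks for, leaving out the new address as the comments debate); and the old address stays reserved for a grace period during which it still logs in, but lands on an "address changed" result, and is released on the next login with the new address or when the period expires (the scheme in the last answer). `GRACE_PERIOD`, `ITERATIONS`, the `mailer` callback and the dispute URL are assumptions for the example; `now` is passed in only so the grace period can be exercised without waiting.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

ITERATIONS = 100_000            # PBKDF2 work factor (assumption for this example)
GRACE_PERIOD = 30 * 24 * 3600   # seconds an old address stays reserved (assumption)
GENERIC_ERROR = ("The email address or password you entered is invalid. "
                 "Perhaps you changed the email address you use to log in?")


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; returns (salt, hash)."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Verified whenever the submitted address is unknown, so that path does the same
# work as a wrong-password attempt and response time does not reveal which
# addresses exist.
_DUMMY_SALT, _DUMMY_HASH = hash_password(os.urandom(16).hex())


@dataclass
class Account:
    email: str
    salt: bytes
    pw_hash: bytes
    previous_emails: List[str] = field(default_factory=list)


class AccountStore:
    """In-memory stand-in for the business's account database (constructed for the example)."""

    def __init__(self, mailer: Callable[[str, str, str], None]):
        self.mailer = mailer                                   # mailer(to, subject, body)
        self.by_email: Dict[str, Account] = {}                 # current address -> account
        self.aliases: Dict[str, Tuple[Account, float]] = {}    # old address -> (account, expiry)

    def _live_alias(self, email: str, now: float) -> Optional[Account]:
        entry = self.aliases.get(email)
        if entry is None:
            return None
        acct, expires = entry
        if now >= expires:                  # grace period over: release the address
            del self.aliases[email]
            return None
        return acct

    def _is_taken(self, email: str, now: float) -> bool:
        return email in self.by_email or self._live_alias(email, now) is not None

    def register(self, email: str, password: str, now: Optional[float] = None) -> Account:
        now = time.time() if now is None else now
        email = email.lower()
        if self._is_taken(email, now):
            raise ValueError("address already in use")
        salt, h = hash_password(password)
        acct = Account(email, salt, h)
        self.by_email[email] = acct
        return acct

    def change_email(self, acct: Account, new_email: str, now: Optional[float] = None,
                     dispute_url: str = "https://example.invalid/dispute") -> None:
        """Rename the login address; the OLD address is notified and kept reserved."""
        now = time.time() if now is None else now
        new_email = new_email.lower()
        if self._is_taken(new_email, now):
            raise ValueError("address already in use")
        old = acct.email
        del self.by_email[old]
        acct.email = new_email
        acct.previous_emails.append(old)
        self.by_email[new_email] = acct
        self.aliases[old] = (acct, now + GRACE_PERIOD)
        # The warning goes to the old address and deliberately omits the new one.
        self.mailer(old, "Your login email address was changed",
                    "The email address for this account has been changed. "
                    "If this is incorrect, please visit " + dispute_url)

    def release_aliases(self, acct: Account) -> None:
        """Free old addresses (e.g. when the user clicks through the 'address changed' page)."""
        for old in [e for e, (a, _) in self.aliases.items() if a is acct]:
            del self.aliases[old]

    def login(self, email: str, password: str, now: Optional[float] = None):
        """Returns ('ok', acct), ('changed', acct) or ('error', GENERIC_ERROR)."""
        now = time.time() if now is None else now
        email = email.lower()
        acct = self.by_email.get(email)
        alias = None if acct is not None else self._live_alias(email, now)
        target = acct if acct is not None else alias
        salt, expected = (target.salt, target.pw_hash) if target else (_DUMMY_SALT, _DUMMY_HASH)
        _, candidate = hash_password(password, salt)   # always done, known address or not
        if target is None or not hmac.compare_digest(candidate, expected):
            return "error", GENERIC_ERROR              # same message and cost either way
        if alias is not None:
            return "changed", alias                    # old address + correct password
        self.release_aliases(acct)                     # login with the new address frees the old one
        return "ok", acct
```

A login with the old address and a wrong password is rejected with the same generic message as everything else, so the old address alone reveals nothing; only the password holder sees the "changed" result. Whether a real deployment releases the old address on the next new-address login, on a click-through, or only at expiry is a policy choice; all three hooks are present above.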